A NETWORKING DEVICE AND METHOD FOR PROVIDING A PREDICTABLE MEMBERSHIP SCHEME FOR POLICY-BASED VLANS

1. Field of the Invention

The present invention relates to the field of data communications. More specifically, the present invention relates to a networking device and method for providing a predictable membership scheme for policy-based virtual local area networks (VLANs).

2. General Background

The ability of users to access programs and to share data over a local area network (referred to as "LAN") has become a necessity for most working environments. Frequently, as the amount of data traffic over the LAN increases, efforts have been made to reduce data traffic congestion. One technique involves separating the LAN into multiple LAN segments, using a networking device such as a bridge or network switch operating at a Media Access Control (MAC) sublayer of the Data Link layer (layer 2) of the International Standards Organization (ISO) Open Systems Interconnection (OSI) reference model. For this implementation, however, all networking devices connected to the LAN still belong to the same broadcast domain.

As the number of LAN segments and networking devices per segment increase, in many cases, the networking devices become overburdened processing broadcast data frames. Thus, under such circumstances, it is desirable to separate the growing data network into multiple broadcast domains. One possible approach for providing multiple broadcast domains is to configure the LAN with multiple virtual local area networks (VLANs).

003239.P080
Patent Application
Express Mail No. EL466332389US
12075BAUS01U/12076BAUS01U -2-

In general, a "VLAN" is a logical local area network that can roughly be equated to a broadcast domain. A VLAN may comprise a plurality of networking devices, perhaps on multiple LAN segments, that are not constrained by their physical location. A network administrator determines the configuration of the VLAN based on a selected VLAN membership mechanism.

The most common VLAN membership mechanism, for example, is to classify selected groups of ports for a networking device as VLANs: a first group of ports may form one VLAN while a second group of ports may form another VLAN. This port-based VLAN membership mechanism has a number of disadvantages. In particular, it does not allow for multiple VLANs to share the same networking device port. Also, it requires the network administrator to reconfigure VLAN membership each time a networking device moves from one port to another.

An alternative solution is to utilize policy-based VLANs in which one or more ports are classified as a member of a VLAN if the contents of their incoming frames satisfy the policy associated with the VLAN. For example, if the "policy" for the VLAN is "protocol-based," those ports of the networking device that receive frames having a certain protocol are members of the VLAN. Besides protocol-based, examples of other types of "policy" include grouping based on source MAC address, source IP subnet and the like.

One problem associated with policy-based VLANs is that each and every port of a networking device may not be able to classify untagged frames based on the policy in question. For example, the networking device may include different application specific integrated circuits (ASICs) responsible for different ports. Both of these ASICs may support different VLAN capabilities. For example, one ASIC may support policy-based VLANs and the other ASIC may not. Thus, this may result in non-uniform classification of frames depending upon the port on which they are received.
SUMMARY

The invention relates to a networking device and method for providing a predictable membership scheme for policy-based virtual local area networks (VLANs). In the event that identical behavior toward expected and unexpected untagged frames is desired, a first membership scheme imposes a first set of rules for allowing or denying membership, changing the tagging option of a port, and changing the filtering option of the port. However, in the event that different behavior toward expected and unexpected untagged frames is desired, a second membership scheme may be utilized. This scheme imposes a second set of rules for allowing or denying membership and changing the tagging option of a port. These schemes provide greater accuracy in formulating VLANs than traditional techniques because they account for the classification of all types of frames, both untagged and tagged frames, as well as various tagging and filtering option changes.

Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying claims and figures.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from the following detailed description of the present invention in which:

Figure 1 is an exemplary embodiment of a network employing a plurality of virtual local area networks (VLANs).

Figure 2 is an exemplary embodiment of a networking device employed in the network of Figure 1.

Figure 3 is a first exemplary embodiment of a flowchart describing a method for allowing or denying membership to a policy-based VLAN in a predictable manner to ensure identical behavior toward expected and unexpected untagged frames.

Figure 4 is a first exemplary embodiment of a flowchart describing a method for allowing or denying a change in the tagging option of a port to ensure identical behavior toward expected and unexpected untagged frames.

Figure 5 is a first exemplary embodiment of a flowchart describing a method for allowing or denying a change in the filtering option of a port to ensure identical behavior toward expected and unexpected untagged frames.

Figure 6 is a second exemplary embodiment of a flowchart describing a method for allowing or denying membership to a policy-based VLAN in a predictable manner to ensure different behavior toward expected and unexpected untagged frames.

Figure 7 is a second exemplary embodiment of a flowchart describing a method for allowing or denying a change in the tagging option of a port to ensure different behavior toward expected and unexpected untagged frames.

DETAILED DESCRIPTION OF THE INVENTION 
Herein, the exemplary embodiments of the present invention relate to a 
networking device and method for providing a predictable membership scheme 
for policy-based virtual local area networks (VLANs). These embodiments are 
not exclusive; rather, they merely provide a thorough understanding of the present 
invention. Well-known circuits are not set forth in detail in order to avoid 
unnecessarily obscuring the present invention. 

In the following description, certain terminology is used to describe 
features of the present invention. For example, a "link" is broadly defined as one 
or more information-carrying mediums to establish a communication pathway. 
Examples of the medium include a physical medium (e.g., electrical wire, optical 
fiber, cable, bus traces, etc.) or a wireless medium (e.g., air in combination with 
wireless signaling technology). "Logic" includes hardware and/or software that 
perform a certain function on incoming information. The software may include a 
program featuring a collection of subprograms being executable code. Examples 
of a program include an operating system, an application or even an applet.
The term "information" is defined as data, address, and/or control. Information may be transferred over the link using at least two different types of frames, namely "tagged" or "untagged". In accordance with an Institute of Electrical and Electronics Engineers (IEEE) draft standard entitled "Draft Standard 802.1Q/D9 IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks," published February 20, 1998, a "tagged frame" is a sequence of bytes including a fixed-length field (referred to as a "tag header") that immediately provides the networking device with its VLAN identification information. The VLAN identification information identifies the particular VLAN to which the data within the frame will be routed. The "untagged frame" is a sequence of bytes that does not contain the tag header.

Referring to Figure 1, a first exemplary embodiment of a network 100 in accordance with the invention is illustrated. The network 100 comprises one or more (N) networking devices 110_1-110_N that communicate with each other via links 120_1-120_M (where M > N). Each "networking device" comprises processing logic (e.g., a processor, microcontroller, state machine, etc.) and a transceiver for receiving/transmitting information from/to another networking device. Examples of a networking device include a computer (e.g., server, mainframe, workstation, desktop, laptop, hand-held, etc.), communications equipment (e.g., a bridge, router, switch, etc.) and the like.

For this embodiment, one networking device 110_1 features a first plurality of ingress ports 120 and a second plurality of egress ports 130 that output information to another networking device 110_2. The ingress ports 120 can be members of one or more virtual local area networks (VLANs) such as VLANs 140 and 141, where VLAN 140 is based on a first policy and VLAN 141 is based on a different policy. Policies may include any guidelines or parameters to prioritize various types of data traffic (e.g., real-time video, e-mails, etc.). For example, VLAN 141 may include an Internet-Protocol (IP) based VLAN where all incoming IP frames are classified into VLAN 141.

Referring now to Figure 2, an exemplary embodiment of the networking device 110_1 is shown. Networking device 110_1 comprises ingress ports 120 and egress ports 130. The ingress ports 120 receive frames from a source such as another networking device. These frames may be tagged or untagged in accordance with the IEEE 802.1Q/D9 standard. As an illustrative example, a first ingress port 121 expects tagged frames only (e.g., port 121 is a tag-only port) while a group 125 of ingress ports (e.g., ports 122-124) expect untagged frames. Moreover, for illustrative purposes, port 122 supports the first policy toward untagged frames but does not support the second policy toward untagged frames. Port 123 supports the second policy, while port 124 supports both the first and second policies.

The networking device 110_1 further comprises a processing logic 200 and a memory 210. The memory 210 may include non-volatile memory to contain software that controls a membership scheme for policy-based virtual local area networks (VLANs). Certain parameters used by the software may be modified from an external source (e.g., another networking device utilized by a network administrator) or may be self-modifiable based on dynamic changes to the network. Of course, in lieu of software, functionality to support the membership scheme may be implemented in hardware or firmware.

Referring now to Figure 3, a first exemplary embodiment of a flowchart describing a method for providing a predictable membership scheme for a policy-based VLAN of Figure 1 is shown. This method is configured to ensure identical behavior toward expected and unexpected untagged frames for example.

Herein, a policy-based VLAN (e.g., VLAN 141) is created and the "policy" is specified (block 300). Since both tagged and untagged frames can pass through any of the ingress ports associated with the networking device of Figure 2, a VLAN membership scheme may be implemented based on one or more of the following factors: (1) the capability of the port to classify untagged frames based on a particular policy; (2) the current "tagging" option of the port; and (3) the current "filtering" option of the port. From this scheme, VLAN membership for each port of the networking device is determined. A port is considered "tag-only" if the current "tagging" option is "tagged" and the current "filtering" option is "filter untagged frames". When a port is configured as "tag-only", it can be said that untagged frames are not expected on that port.

In particular, for this embodiment, a determination is made whether the port supports a particular policy classification (e.g., second policy) for untagged frames (block 310). This determination may be made either by the processing logic internally within the networking device itself or by logic within a device external to the networking device. If the port does not support that policy classification (e.g., ports 121 or 122 of Figure 2), a determination is made whether the port is a "tag-only" port (block 315). If the port is a tag-only port (e.g., port 121 of Figure 2), membership to the policy-based VLAN would be allowed (block 320). The reason for allowance of the membership is due to the fact that no untagged frames are expected to pass through the port. Otherwise, membership to the policy-based VLAN would be denied (block 325).

If the port supports the policy classification (e.g., ports 123 and 124 of Figure 2), a determination is made whether the port is currently a member of another VLAN with the same policy (block 330). If so, membership to the policy-based VLAN would be denied because, while membership to multiple VLANs is permissible, membership to two VLANs based on the same policy is not (block 335). If the port is currently not a member of another VLAN with the same policy, then membership to the policy-based VLAN would be allowed (block 340).

With respect to Figure 4, an exemplary embodiment of a flowchart describing a protocol for changing a "tagging" option of a port in accordance with the membership protocol of Figure 3 is shown. A determination is made whether the change in the "tagging" option of the port is from an "Untagged" state to a "Tagged" state (block 400). Similarly, this determination may be made either by the processing logic internally within the networking device itself or by logic within a device external to the networking device. If the change in the tagging option places the port in a Tagged state, this change is allowed because the original Untagged state would not have allowed membership that poses restrictions on the change in question (block 410).
However, in certain situations as noted above, VLAN membership may be granted in light of the unexpected nature of untagged frames on a "tag-only" port. Thus, a change in the tagging option of the port from a Tagged state to an Untagged state requires a second determination; namely, whether the port is currently a member of any VLAN whose policy type for untagged frames is not supported by this port (block 420). If the port is not a member of a VLAN whose policy type is not supported by this port for untagged frames, the change in the tagging option is allowed (block 430). Otherwise, the change in the tagging option is denied because this port is required to remain "tag-only" (block 440).

With respect to Figure 5, an exemplary embodiment of a flowchart describing a protocol for changing a "filtering" option of a port in accordance with the membership protocol of Figure 3 is shown. A determination whether to allow a change in the filtering option is made either by the processing logic internally within the networking device itself or by logic within a device external to the networking device. The change in the filtering option is allowed when occurring from a "Do Not Filter" state to a "Do Filter" state (blocks 500 and 510).

If the filtering option is changed from a "Do Filter" state to a "Do Not Filter" state, a determination is made whether the port is currently a member of any VLAN whose policy for untagged frames is not supported (block 520). If the port is not a member of a VLAN whose policy type for untagged frames is not supported, the change in the filtering option is allowed (block 530). However, if the port is currently a member of a VLAN whose policy type for untagged frames is not supported, the change in the filtering option is denied (block 540).
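The three protocols of Figures 3, 4 and 5 form one state model: membership decisions depend on the port's tagging and filtering options, and option changes are in turn constrained by the memberships already granted. The following Python is an added example, not code from the patent; the Port fields, the policy labels "first" and "second", and the constructed port set that mirrors the illustrative ports of Figure 2 are assumptions. It shows why the two option-change checks exist: port 121 is admitted to VLAN 141 only because it is tag-only, so any change that would make untagged frames expected on it again is refused, while port 123, which can classify by the policy itself, may change freely.

```python
from dataclasses import dataclass, field

# Constructed model of a switch port, added for illustration (not the patent's
# own code). Field names and policy labels are assumptions.
@dataclass
class Port:
    name: str
    supports: frozenset                 # policies the port can apply to untagged frames
    tagging: str = "Untagged"           # current tagging option: "Tagged" or "Untagged"
    filtering: str = "Do Not Filter"    # current filtering option: "Do Filter" or "Do Not Filter"
    vlans: dict = field(default_factory=dict)   # vlan_id -> policy of that VLAN

    def is_tag_only(self) -> bool:
        # Tag-only: tagging is "Tagged" and untagged frames are filtered, so none are expected.
        return self.tagging == "Tagged" and self.filtering == "Do Filter"

    def member_of_policy(self, policy: str) -> bool:
        return policy in self.vlans.values()

    def member_of_unsupported_policy_vlan(self) -> bool:
        # True if any current VLAN uses a policy this port cannot classify untagged frames by.
        return any(p not in self.supports for p in self.vlans.values())


def request_membership(port: Port, vlan_id: int, policy: str) -> tuple[bool, str]:
    """Figure 3 (blocks 310-340): decide whether `port` may join a VLAN using `policy`."""
    if policy not in port.supports:                       # block 310: not supported
        if port.is_tag_only():                            # block 315
            port.vlans[vlan_id] = policy
            return True, "block 320: allowed, no untagged frames expected on a tag-only port"
        return False, "block 325: denied, port cannot classify untagged frames by this policy"
    if port.member_of_policy(policy):                     # block 330
        return False, "block 335: denied, already a member of a VLAN with the same policy"
    port.vlans[vlan_id] = policy
    return True, "block 340: allowed"


def change_tagging(port: Port, new_state: str) -> tuple[bool, str]:
    """Figure 4 (blocks 400-440): decide whether the tagging option may change."""
    if new_state == "Tagged":                             # block 400: Untagged -> Tagged
        port.tagging = "Tagged"
        return True, "block 410: allowed"
    if port.member_of_unsupported_policy_vlan():          # block 420
        return False, "block 440: denied, port must remain tag-only"
    port.tagging = "Untagged"
    return True, "block 430: allowed"


def change_filtering(port: Port, new_state: str) -> tuple[bool, str]:
    """Figure 5 (blocks 500-540): decide whether the filtering option may change."""
    if new_state == "Do Filter":                          # block 500: Do Not Filter -> Do Filter
        port.filtering = "Do Filter"
        return True, "block 510: allowed"
    if port.member_of_unsupported_policy_vlan():          # block 520
        return False, "block 540: denied, port must keep filtering untagged frames"
    port.filtering = "Do Not Filter"
    return True, "block 530: allowed"


def figure2_ports() -> dict[str, Port]:
    # Constructed to match the illustrative ports of Figure 2.
    return {
        "121": Port("121", frozenset(), tagging="Tagged", filtering="Do Filter"),  # tag-only
        "122": Port("122", frozenset({"first"})),
        "123": Port("123", frozenset({"second"})),
        "124": Port("124", frozenset({"first", "second"})),
    }


def run_scenario() -> dict[str, bool]:
    """Apply the three protocols to the Figure 2 ports and VLAN 141 (second policy)."""
    ports = figure2_ports()
    results = {}
    for name in ("121", "122", "123", "124"):
        results[f"join_141_{name}"] = request_membership(ports[name], 141, "second")[0]
    # Port 124 asks for a second VLAN with the same policy: denied (block 335).
    results["join_142_124"] = request_membership(ports["124"], 142, "second")[0]
    # Port 121 joined VLAN 141 only because it is tag-only; it must stay that way.
    results["untag_121"] = change_tagging(ports["121"], "Untagged")[0]
    results["unfilter_121"] = change_filtering(ports["121"], "Do Not Filter")[0]
    # Port 123 supports the policy, so it may move between tagging states.
    results["tag_123"] = change_tagging(ports["123"], "Tagged")[0]
    results["untag_123"] = change_tagging(ports["123"], "Untagged")[0]
    return results


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step}: {'allowed' if decision else 'denied'}")
```

The two option-change functions consult the same predicate (membership in a VLAN whose policy the port cannot apply to untagged frames) because either change alone would break the tag-only condition that justified the membership in block 320.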

Referring now to Figure 6, a second exemplary embodiment of a flowchart describing a method for providing a predictable membership scheme for a policy-based VLAN of Figure 1 is shown. This method is configured to allow membership into multiple policy-based VLANs when untagged frames are not expected. This method employs different behavior toward expected and unexpected untagged frames. In this method, untagged frames are considered to be unexpected if the tagging option is "tagged". Herein, a policy-based VLAN is created and the "policy" is specified (block 600). Since both tagged and untagged frames can pass through the ingress ports associated with a VLAN, a mechanism may be implemented based on a port's capability to classify untagged frames based on the policy and its current "tagging" option.

In particular, for this embodiment, a determination is made whether the port is currently in a Tagged state (block 610). If so, membership to the VLAN is allowed and untagged frames will be classified based on a Port VLAN Identification (PVID) for this port (block 615). If the port is currently in an Untagged state, a subsequent determination is made whether the port supports the policy-based classification of this VLAN (block 620). If the port does not support the policy-based classification of the VLAN, membership to the VLAN is denied (block 625). Otherwise, yet another determination is made whether the port is already a member of another VLAN with the same policy (block 630). If so, membership to the VLAN is denied (block 635). If the port is not a member of another VLAN with the same policy, membership to the VLAN is allowed (block 640).

With respect to Figure 7, an exemplary embodiment of a flowchart describing a protocol for changing a "tagging" option of a port in accordance with the membership protocol of Figure 6 is shown. First, a determination is made whether the change in the tagging option is from an Untagged port to a Tagged port (block 700). If so, the change in the tagging option is allowed because the original Untagged state would not have allowed membership that poses restrictions on the change in question and all untagged frames will now be classified based on PVID (block 710). If not, a determination is made whether the port is a member of a VLAN whose policy type for untagged frames is not supported (block 720). If the port is a member of a VLAN whose policy type for untagged frames is not supported, the change in the tagging option is denied (block 730). If the port is not a member of a VLAN whose policy type for untagged frames is not supported, a determination is made whether the port already belongs to a VLAN having the same policy (block 740). If so, the change in the tagging option is denied (block 750). If not, the change in the tagging option is allowed so that untagged frames will now be considered for classification based on policy (block 760).
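The second scheme of Figures 6 and 7 differs from the first in that a Tagged port is admitted to any policy-based VLAN, since its untagged frames are unexpected and simply fall to the PVID; the policy checks are deferred to the moment the port is asked to become Untagged. The following Python is an added example, not code from the patent; the Port fields, policy labels and PVID values are constructed, block 740 is read as "two current memberships share a policy", and the PVID fallback in classify_untagged for a frame matching no member VLAN is an assumption in line with ordinary 802.1Q behaviour rather than something the text states.

```python
from dataclasses import dataclass, field

# Constructed port model for the second scheme, added for illustration (not the
# patent's own code). Under this scheme only the tagging option is consulted;
# field names, policy labels and PVID values are assumptions.
@dataclass
class Port:
    name: str
    supports: frozenset                 # policies the port can apply to untagged frames
    tagging: str = "Untagged"           # "Tagged" or "Untagged"
    pvid: int = 1                       # Port VLAN Identification for untagged frames
    vlans: dict = field(default_factory=dict)   # vlan_id -> policy of that VLAN


def request_membership_scheme2(port: Port, vlan_id: int, policy: str) -> tuple[bool, str]:
    """Figure 6 (blocks 610-640): untagged frames are unexpected on a Tagged port."""
    if port.tagging == "Tagged":                                   # block 610
        port.vlans[vlan_id] = policy
        return True, f"block 615: allowed, untagged frames go to PVID {port.pvid}"
    if policy not in port.supports:                                # block 620
        return False, "block 625: denied, port cannot classify untagged frames by this policy"
    if policy in port.vlans.values():                              # block 630
        return False, "block 635: denied, already a member of a VLAN with the same policy"
    port.vlans[vlan_id] = policy
    return True, "block 640: allowed"


def change_tagging_scheme2(port: Port, new_state: str) -> tuple[bool, str]:
    """Figure 7 (blocks 700-760): decide whether the tagging option may change."""
    if new_state == "Tagged":                                      # block 700
        port.tagging = "Tagged"
        return True, "block 710: allowed, untagged frames now classified by PVID"
    if any(p not in port.supports for p in port.vlans.values()):   # block 720
        return False, "block 730: denied, member of a VLAN whose policy this port cannot apply"
    # Block 740 is read here as: two current VLANs share a policy. That was harmless while
    # untagged frames went to the PVID, but would be ambiguous once classified by policy.
    policies = list(port.vlans.values())
    if len(policies) != len(set(policies)):
        return False, "block 750: denied, two VLANs with the same policy"
    port.tagging = "Untagged"
    return True, "block 760: allowed, untagged frames now classified by policy"


def classify_untagged(port: Port, frame_policy: str) -> int:
    """VLAN an untagged frame lands in under this scheme. Falling back to the PVID when
    no member VLAN's policy matches is an assumption (ordinary 802.1Q PVID behaviour)."""
    if port.tagging == "Tagged":
        return port.pvid
    for vlan_id, policy in port.vlans.items():
        if policy == frame_policy and policy in port.supports:
            return vlan_id
    return port.pvid


def run_scenario() -> dict:
    """Constructed walk-through using ports 122-124 of Figure 2 and VLANs 141/142."""
    p122 = Port("122", frozenset({"first"}), tagging="Tagged", pvid=10)
    p123 = Port("123", frozenset({"second"}), pvid=20)
    p124 = Port("124", frozenset({"first", "second"}), tagging="Tagged", pvid=30)
    r = {}
    # Tagged ports join any policy-based VLAN, even two with the same policy (block 615).
    r["122_join_141"] = request_membership_scheme2(p122, 141, "second")[0]
    r["124_join_141"] = request_membership_scheme2(p124, 141, "second")[0]
    r["124_join_142"] = request_membership_scheme2(p124, 142, "second")[0]
    # Going Untagged is refused where classification would no longer be predictable.
    r["122_untag"] = change_tagging_scheme2(p122, "Untagged")[0]     # block 730
    r["124_untag"] = change_tagging_scheme2(p124, "Untagged")[0]     # block 750
    # An Untagged port is held to the policy checks of blocks 620-640.
    r["123_join_141"] = request_membership_scheme2(p123, 141, "second")[0]
    r["123_join_142"] = request_membership_scheme2(p123, 142, "second")[0]
    r["123_class_untagged"] = classify_untagged(p123, "second")       # VLAN 141
    r["123_tag"] = change_tagging_scheme2(p123, "Tagged")[0]
    r["123_class_tagged"] = classify_untagged(p123, "second")         # PVID 20
    return r


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

Compared with the first scheme, port 124 here holds two VLANs with the same policy while Tagged, which block 335 of Figure 3 would have refused outright; the price is that it can no longer be made Untagged until one of those memberships is dropped.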

While certain exemplary embodiments have been described and shown in 
the accompanying drawings, it is to be understood that such embodiments are 
merely illustrative of and not restrictive on the broad invention, and that this 
invention not be limited to the specific constructions and arrangements shown and 
described, since various other modifications may occur to those ordinarily skilled 
in the art. 
CLAIMS

What is claimed is:

1. A method comprising:
determining whether a predetermined policy followed by a first virtual local area network (VLAN) is supported by a port of a networking device;
disallowing the port membership to the first VLAN if the port fails to support the predetermined policy; and
allowing the port membership to the first VLAN if the port fails to support the predetermined policy and the port constitutes a tag-only port.

2. The method of claim 1 further comprising:
disallowing the port membership to the first VLAN if the port supports the predetermined policy and is a current member of a second VLAN following the predetermined policy.

3. The method of claim 2 further comprising:
allowing the port membership to the first VLAN if the port supports the predetermined policy and is not a current member of a second VLAN following the predetermined policy.

4. The method of claim 1, wherein the predetermined policy is associated with untagged frames.

5. The method of claim 1 further comprising:
determining whether a change of a tagging option of the port is requested; and
allowing the change in the tagging option from an untagged state to a tagged state.
6. The method of claim 5 further comprising:
disallowing the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the port is a member of a second VLAN following the predetermined policy.

7. The method of claim 6 further comprising:
allowing the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the port is not a member of the second VLAN following the predetermined policy.

8. The method of claim 1 further comprising:
determining whether a change of a filtering option of the port is requested; and
allowing the change in the filtering option from a "Do Not Filter" state to a "Do Filter" state.

9. The method of claim 8 further comprising:
disallowing the change in the filtering option if the change in the filtering option is from the "Do Filter" state to the "Do Not Filter" state and the port is a member of a second VLAN following the predetermined policy.

10. The method of claim 9 further comprising:
allowing the change in the filtering option if the change in the filtering option is from the "Do Filter" state to the "Do Not Filter" state and the port is not a member of the second VLAN following the predetermined policy.
11. A method comprising:
determining whether a selected port is a tag-only port;
allowing membership of the port to a first virtual local area network (VLAN) if the selected port is a tag-only port;
determining whether a predetermined policy followed by the first VLAN is supported by a port of a networking device;
disallowing the port membership to the first VLAN if the port fails to support the predetermined policy and the selected port is a member of a second VLAN following the predetermined policy; and
allowing the port membership to the first VLAN if the port supports the predetermined policy and the selected port is not a member of the second VLAN following the predetermined policy.

12. The method of claim 11 further comprising:
disallowing the port membership to the first VLAN if the port supports the predetermined policy and the selected port is a member of the second VLAN following the predetermined policy.

13. The method of claim 11, wherein the predetermined policy is associated with untagged frames.

14. The method of claim 11 further comprising:
determining whether a change of a tagging option of the port is requested; and
allowing the change in the tagging option from an untagged state to a tagged state.

15. The method of claim 14 further comprising:
disallowing the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the port is a member of a second VLAN following the predetermined policy.
16. The method of claim 14 further comprising:
disallowing the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the port is a member of the second VLAN following the predetermined policy.

17. The method of claim 14 further comprising:
disallowing the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the port is a member of the second VLAN following the predetermined policy.

18. The method of claim 8 further comprising:
disallowing the change in the filtering option if (i) the change in the filtering option is from the "Do Filter" state to the "Do Not Filter" state, (ii) the port is a member of a VLAN having a policy that fails to support untagged frames, and (iii) the port is a member of a second VLAN following the predetermined policy.

19. A networking device comprising:
a plurality of ports; and
a processing unit to control membership of at least one of the plurality of ports to a policy-based virtual local area network (VLAN), the processing unit to determine whether a predetermined policy followed by the policy-based VLAN is supported by the at least one of the plurality of ports, and to allow the at least one port of the plurality of ports membership to the policy-based VLAN if the at least one port fails to support the predetermined policy and constitutes a tag-only port.

20. The networking device of claim 19, wherein the processing unit further disallows the at least one port of the plurality of ports membership to the policy-based VLAN if the at least one port fails to support the predetermined policy.
21. The networking device of claim 20, wherein the processing unit further disallows membership to the policy-based VLAN if the port supports the predetermined policy and is also a current member of another VLAN following the predetermined policy.

22. The networking device of claim 21, wherein the predetermined policy is associated with untagged frames.

23. The networking device of claim 19, wherein the processing unit further determines whether a change of a tagging option of the at least one port is requested and allows the change in the tagging option if the tagging option is changed from an untagged state to a tagged state.

24. The networking device of claim 23, wherein the processing unit further disallows the change in the tagging option if the change in the tagging option is from the tagged state to the untagged state and the at least one port is a member of another VLAN following the predetermined policy.

25. A program loaded in memory of a networking device for execution therein, the program comprising:
a first subprogram to determine whether a predetermined policy followed by the policy-based VLAN is supported by a port of a networking device;
a second subprogram to disallow the at least one port of the plurality of ports membership to the policy-based VLAN if the at least one port fails to support the predetermined policy; and
a third subprogram to allow the at least one port of the plurality of ports membership to the policy-based VLAN if the at least one port fails to support the predetermined policy and constitutes a tag-only port.
ABSTRACT

A networking device and method for providing a predictable membership scheme for policy-based virtual local area networks (VLANs). In the event that identical behavior toward incoming expected and unexpected untagged frames is desired, a first membership scheme imposes a first set of rules while a second membership scheme, having a second set of rules, is used if expected and unexpected untagged frames are treated differently.